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(54) Title: SYSTEM AND METHOD FOR REMOTELY MONITORING WIRLESS NETWORKS 

es 

(57) Abstract: A system for monitoring a wireless network is provided. The system includes a security network including a plurality 
^ of monitoring devices coupled to a centralized security manager. The security network is operable to manage access to a data network 
O associated with a plurality of authorized devices. Each monitoring device is operable to receive packets communicated from one or 
^ more wireless device and communicate one or more of the packets to the centralized security manager. Each packet is associated with 
a communication session. The centralized security manager is operable to receive and analyze the one or more packets communicated 
from each monitoring device. The centralized security manager is further operable to determine whether a particular communication 
^ session is valid based on the analysis of at least one particular packet associated with a particular wireless device, and to communicate 
^ an alert if the particular communication session is not valid. 
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access to the wireless LAN. In addition, if the attacker can sniff the wireless traffic, 
he may also be able to inject false traffic into the network. Thus, the attacker may be 
able to issue commands on behalf of the authorized user by injecting traffic into the 
network and hijacking the authorized user's session. Using this technique, the 
5 attacker may trick the network into passing sensitive data from the backbone of the 
network to the attacker's wireless station. The attacker may thus gain access to 
sensitive data that normally would not be sent over the wireless LAN. 

Another security risk of using wireless LANs involves unauthorized devices 
being placed on the wireless LAN. For example, an internal employee wanting to add 
10 his own wireless capabilities to a wired network may plug his own base station or 
access point into the wired network. This may create a security risk if the added 
access point has not been properly configured, as attackers may gain access to the 
network through the unauthorized access point. Alternatively, an attacker may 
physically place a base station or access point on the network providing the attacker 
1 5 remote access to the network using wireless communications. 
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is operable to manage access to a data network associated with a plurality of 
authorized devices. Each monitoring device is operable to receive packets 
communicated from one or more wireless device and select one or more of the 
received packets to be analyzed. Each packet is associated with a communication 
5 session. Each monitoring device is further operable to determine whether the 
selected packets are to be analyzed locally or by the centralized security manager. 
Each monitoring device is further operable to communicate the selected packets to the 
centralized security manager if it is determined that the selected packets are to be 
analyzed by the centralized security manager. Each monitoring device is further 

10 operable to analyze the selected packets if it is determined that the selected packets 
are to be analyzed locally, and to determine whether the communication session is 
valid based on the analysis of the selected packets. The centralized security manager 
is operable to receive the selected packets from the monitoring device if it is 
determined that the selected packets are to be analyzed by the centralized security 

15 manager, analyze the received selected packets, and determine whether the 
communication session is valid based on the analysis of the received selected packets. 

According to yet another embodiment, a method of validating a 
communications session in a wireless network is provided. The method includes 
receiving one or more packets communicated from a wireless device at a monitoring 

20 devices operable to monitor at least a portion of a network including a plurality of 
authorized devices. The one or more packets are associated with a communication 
session. The method further includes determining whether the communication 
session is valid, which includes determining the manufacturer of the wireless device 
based on the one or more packets, determining whether the manufacturer of the 

25 wireless device matches the manufacturer of at least one of the plurality of authorized 
wireless clients, determining whether the wired equivalency privacy (WEP) 
associated with the wireless device is turned on, and determining whether the MAC 
address of the wireless device matches the MAC address of any of the plurality of 
authorized wireless devices. 
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turned on, deteimining whether the SSK> of the wireless access point matches the 
SSID of the authorized access points, determining whether the BSS MAC address of 
the wireless access point matches the BSS MAC address of one of the authorized 
access points, and determining whether the wireless access point is broadcasting. 

Still another advantage is that the local wireless monitors may also be operable 
to analyze packets to detect unauthorized communication sessions, such as in a 
situation in which a connection to the centralized security manager is not currently 
available. The centralized security manager as well as each wireless monitor may 
have a database of authorized communication sessions, access points, and wireless 
clients. The centralized security manager may communicate with each wireless 
monitor to keep their respective database updated or synchronized. 

Other technical advantages will be readily apparent to one having ordinary 
skill in the art from the following figures, descriptions, and claims. 

15 BRIEF DESCRIPTION OF THE DRAWINGS 

For a more complete understanding of the present invention and for further 
features and advantages, reference is now made to the following description, taken in 
conjunction with the accompanying drawings, in which: 

FIGURE 1 illustrates a system for remotely monitoring wireless networks in 
20 accordance with an embodiment of the present invention; 

FIGURE 2 illustrates an example wireless monitor in accordance with an 
embodiment of the present invention; 

FIGURE 3 illustrates an example centralized security manager in accordance 
with an embodiment of the present invention; 
25 FIGURE 4 is a top view of a floor in a building, illustrating an example 

configuration of a portion of wireless LAN and a campus security network in 
accordance with an embodiment of the present invention; 

FIGURE 5 illustrates a method of monitoring communication sessions in a 
wireless network, such as a wireless LAN, in accordance with an embodiment of the 
30 present invention; 
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network 12. Data network 12 may be any network in which data may be 
communicated and may in particular embodiments include a plurality of campuses 16 
connected to a communications network 18. Each campus 16 may include one or 
more local area networks (LANs), metropolitan area networks (MANs), wide area 
5 networks (WANs), portions of the internet, or any other appropriate wireline, optical, 
wireless, or other links. 

In the embodiment shown in FIGURE 1, one particular campus 16 includes a 
wireless LAN 20 having a two-level hierarchical topology. In this embodiment, 
wireless LAN 20 includes a plurality of authorized wireless base stations, or access 

10 points, 22 connected to a campus backbone network 24. Authorized access points 22 
may include any device capable of receiving and/or transmitting wireless 
communications. Each authorized wireless access point 22 provides a number of 
authorized mobile stations, or clients, 26 a point of access to data network 12. Thus, 
authorized clients 26 may communicate with authorized access points 22 using 

15 wireless communications to gain access to data network 12. Authorized clients 26 
may include personal computers (PCs), laptops, handheld devices such as personal 
digital assistants (PDAs), or any other device capable of transmitting and/or receiving 
wireless communications. 

The number of authorized clients 26 connected to data network 12 through 

20 each authorized access point 22 may vary over time as authorized clients 26 initiate, 
establish, and terminate communication sessions with data network 12. In some 
embodiments, each authorized client 26 may gain access to data network 12 through 
any authorized access point associated with wireless LAN 20. 

Campus backbone network 24 may include any network suitable to 

25 communicate with authorized access points 22. In some embodiments, campus 
backbone network 24 comprises a wired local area network (LAN) based on any of a 
variety of protocols, such as Ethernet, token ring, or fiber distributed data interface 
(FDDI) protocols, and including any of a variety of topologies, such as bus, ring, star, 
or tree topologies, for example. As discussed above, campus backbone network 24 

30 may be connected to communications network 18 such that the particular campus 16 
may communicate with the other campuses 16. Communications network 18 may 



BNSDOCID: <WO__200402373QA2J_> 



WO 2004/023730 



PCT/US2003/027644 



10 



However, as discussed below in greater detail, security network 14 is operable to 
identify rogue access points 36 and act accordingly to reduce or eliminate their 
potential security risks. 

In addition to unauthorized access points, unauthorized clients pose a threat to 
5 security. For example, as shown in FIGURE 1, an attacker with an unauthorized 
client 38 (such as a laptop or PDA, for example) may attempt to access data network 
12 through one or more authorized access points 22. For example, if the area of 
coverage of an authorized access point 22 located within a building extends outside of 
the building, an attacker located outside the building but within the area of coverage 
10 may attempt to access data network 12 through the authorized access point 22 using 
the unauthorized client 38. For example, an attacker may be able to detect, or "sniff," 
security information, such as password information or security key information, from 
wireless signals being communicated between the authorized access point 22 and 
authorized clients 26. The attacker may then be able to use the security information to 
15 masquerade as an authorized client 26 in order to access data network 12 through the 
authorized access point 22. The attacker may also be able to inject false traffic from 
the unauthorized client 38 into data network 12 via the authorized access point 22 in 
order to hijack an authorized communication session. In addition, the attacker may 
use an arpspoof technique to trick data network 12 into passing sensitive data to 
unauthorized client 38 that would not ordinarily be sent over a wireless link. 
However, as discussed below in greater detail, security network 14 is operable to 
identify unauthorized clients 38 and to act accordingly to reduce or eliminate their 
potential security risks. 

Thus, security network 14 is generally operable to provide security to data 
25 network 12 by reducing or eliminating the security risks associated with rogue access 
points 36 and unauthorized clients 38. In some embodiments, security network 14 is 
operable to monitor wireless communications associated with wireless LANs 20 and 
to identify invalid or unauthorized communication sessions (in other words, 
communications sessions involving a rogue access point 36 and/or an unauthorized 
30 client 38), and to prevent such invalid or unauthorized communication sessions. 



20 
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communication session associated with wireless LAN 20. For example, the packet 
may have been communicated by an authorized or unauthorized client 26 or 38 and 
may concern a request by the client 26 or 38 to establish a communication session 
with a particular authorized or rogue access point 22 or 36. As another example, the 
packet have been broadcast from an authorized or rogue access point 22 or 36 and 
intended for one or more authorized or unauthorized clients 26 or 38. As another 
example, the packet may have been communicated from an authorized or rogue 
access point 22 or 36 in response to a communication received from an authorized or 
unauthorized client 26 or 38. The term "packet" is intended to include any group or 
bundle of data, such as a datagram, frame, message, segment, or cell, for example, 
which may be transmitted by any one or more types of communications media, such 
as wireline, optical, wireless, or any other type of communications links. 

Packet filtering module 62 may be operable to filter packets collected by 
packet sniffing module 60 to determine relevant, or interesting, packets. Interesting 
packets may include packets concerning the authentication, authorization, and/or 
establishment of a communication session, such as packets communicated by 
authorized and rogue access points 22 and 36 and/or authorized and unauthorized 
clients 26 and 38 during key exchange handshaking, for example. In some 
embodiments, relevant or interesting packets selected by packet filtering module 62 
generally do not include traffic data packets communicated after a communication 
session is established. In a particular embodiment, packet filtering module 62 may 
select as relevant or interesting based on whether particular types of encryption are 
turned on or off on the wireless device from which particular packets were received. 

Packet routing module 64 may be operable to determine whether particular 
selected as relevant or interesting by packet filtering module 62 are to be analyzed 
locally by the packet analysis module 66 of the wireless monitor 32 or communicated 
to and analyzed by centralized security manager 30. In particular embodiments, this 
determination comprises determining whether a connection between the particular 
wireless monitor 32 and centralized security manager 30 is available such that the 
wireless monitor 32 may communicate the interesting packets to centralized security 
manager 30 for analysis. A connection to centralized security manager 30 may not be 
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Countermeasure module 70 may be operable to initiate or direct a 
countermeasure in response to an invalid or unauthorized communication session 
determined by packet analysis module 66. For example, if an unauthorized client 38 
is identified, countermeasure module 70 may be operable to disassociate the 
unauthorized client 38 from all authorized access points 22 associated with wireless 
LAN, thus preventing the unauthorized client 38 from gaining access to the data 
network 12 through any authorized access points 22. As another example, 
countermeasure module 70 may redirect unauthorized client 38 to a honey pot which 
may trick unauthorized client 38 into believing that unauthorized client 38 is 
progressing through the actual data network 12. This technique may be used to keep 
unauthorized client 38 connected long enough to contact security personnel or law 
enforcement and/or to detect the methods of attack used by unauthorized client 38 in 
order to deter or prevent future attacks. In particular embodiments, countermeasure 
module 70 is operable to initiate or direct such countermeasures in response to 
commands received from appropriate security personnel. In other embodiments, 
countermeasure module 70 may be operable to automatically initiate or direct such 
countermeasures (in other words, without direction from security personnel) if an 
invalid or unauthorized communication session is identified. 

Session database 72 may store a record of one or more authorized and/or or 
unauthorized communications sessions associated with wireless LAN 20 or data 
network 12. In addition, wireless monitor 32 may communicate such records to 
centralized security manager 30. For example, in a situation in which particular 
interesting packets are analyzed locally because a communication link to send the 
packets to centralized security manager 30 is not currently available, packet analysis 
module 66 may identify authorized communication sessions, generate records 
regarding each identified authorized session, and store the records session database 
72. Wireless monitor 32 may later communicate records stored in session database 72 
to centralized security manager 30 after the connection between the wireless monitor 
32 and centralized security manager 30 has been restored. In addition, centralized 
security manager 30 may send records to session database 72 at particular times such 
that session database 72 may be updated. 
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may first determine whether the communication session with which the interesting 
packet is associated is a new communication session or an already established 
communication session, then determine whether the packet was originally 
communicated from a wireless client (such as an authorized or unauthorized client 26 
5 or 38) or from a wireless access point (such as an authorized or rogue access point 22 
or 36), and then determine whether the communication session is a valid or authorized 
session based on further analysis of the packet. 

To determine whether the communication session is a new communication 
session or an already established communication session, packet analysis module 82 

10 may first determine whether the packet is a data packet or a beacon packets. A 
beacon packet may be a packet communicated in a beacon broadcast by a wireless 
access point or client, such as a beacon broadcast by a wireless client searching for an 
wireless access point with which to communicate. Data packets may include packets 
communicated by a wireless access point or client in any manner other than a beacon 

15 broadcast. After determining whether the packet is a data packet or a beacon packet, 
packet analysis module 82 may then determine which portions of the packet are 
interesting and split the packet to extract the interesting portions. Packet analysis 
module 82 may then format the extracted interesting portions such that the interesting 
portions may be properly analyzed. Packet analysis module 82 may then compare the 

20 formatted interesting portions with a database of information to determine whether the 
communication session with which the interesting packet is associated is a new 
communication session or an already established communication session. In 
particular embodiments, packet analysis module 82 may then compare the formatted 
interesting portions with a beacon packet information database if the packet is a 

25 beacon packet and a data packet information database if the packet is a data packet. 

In some embodiments, centralized security manager 30 is generally operable 
to prevent the establishment of unauthorized communication sessions in real time. 
Thus, centralized security manager 30 may not be concerned with packets associated 
with communication sessions identified as established communication sessions by 

30 packet analysis module 82. Thus, if packet analysis module 82 determines that the 
communication session discussed above is an established communication session, 
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of the wireless client does not match the manufacturer of any authorized client 26, 
packet analysis module 82 may determine that the wireless client is an unauthorized 
client 38 and that the communications session is thus invalid or unauthorized. 

Packet analysis module 82 may also determine whether one or more particular 
5 security measures are turned on or off. For example, packet analysis module 82 may 
determine whether the wired equivalent privacy (WEP) associated with the wireless 
client is turned on or off. Packet analysis module 82 may be operable to determine 
whether the WEP is turned on or off based on a particular bit in the packet header. In 
particular embodiments, if packet analysis module 82 determines that the WEP is 
10 turned off, packet analysis module 82 may determine that the wireless client is an 
unauthorized client 38 and that the communications session is thus invalid or 
unauthorized. 

In particular embodiments, packet analysis module 82 may also determine 
whether the MAC address of the wireless client matches the MAC address of any of 
1 5 the authorized clients 26. For example, authorized device database 88 may include a 
list of the MAC address for each authorized client 26, and packet analysis module 82 
may compare the MAC address of the wireless client with the list. If the MAC 
address of the wireless client does not match the MAC address of any authorized 
client 26, packet analysis module 82 may determine that the wireless client is an 
unauthorized client 38 and that the communications session is thus invalid or 
unauthorized. 

Thus, regarding packets originally communicated from a wireless client, 
packet analysis module 82 may determine whether a communication session is valid 
or authorized based at least on one or more of the determinations discussed above, 

25 namely, whether the manufacturer of the wireless device matches the manufacturer of 
any of the authorized clients 26, whether the WEP associated with the wireless client 
is turned on, and whether the MAC address of the wireless device matches the MAC 
address of any of the authorized clients 26. In a particular embodiment, packet 
analysis module 82 may determine that a particular communication session is valid or 

30 authorized only if the manufacturer of the wireless client matches the manufacturer of 
at least one authorized client 26, the WEP associated with the wireless client is turned 
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wireless access point with the list. If the BSS MAC address of the wireless access 
point does not match the BSS MAC address of any authorized access point 22, packet 
analysis module 82 may determine that the wireless access point is an unauthorized 
access point 36 and that the communications session is thus invalid or unauthorized. 

In addition, packet analysis module 82 is also operable to determine whether 
the wireless access point is broadcasting. In particular embodiments, authorized 
access points 22 are configured to respond to communications received Scorn wireless 
devices, but to not broadcast signals. In such embodiments, if packet analysis module 
82 determines that the wireless access point is broadcasting signals, packet analysis 
module 82 may determine that the wireless access point is an unauthorized access 
point 36 and that the communications session is thus invalid or unauthorized. 

Thus, regarding packets originally communicated from a wireless access 
point, packet analysis module 82 may determine whether a communication session is 
valid or authorized based at least on one or more of the determinations discussed 
above, namely, whether the manufacturer of the wireless device matches the 
manufacturer of any of the authorized access points 22, whether the WEP associated 
with the wireless access point is turned on, whether the SSID of the wireless device 
matches the SSID of the authorized access points 22, whether the BSS MAC address 
of the wireless device matches the MAC address of any of the authorized access 
points 22, and whether the wireless access point is broadcasting signals. In a 
particular embodiment, packet analysis module 82 may determine that a particular 
communication session is valid or authorized only if the manufacturer of the wireless 
access point matches the manufacturer of at least one authorized access point 22, the 
WEP associated with the wireless access point is turned on, the SSID of the wireless 
access point matches the SSID of the authorized access points 22, the MAC address 
of the wireless access point matches the MAC address of one of the authorized access 
points 22, and the wireless access point is not broadcasting. 

It should be understood that packet analysis module 66 of each wireless 
monitor 32 may be operable to perform one, some, or all of the functions operable to 
be performed by packet analysis module 82 of centralized security manager 30. For 
example, each wireless monitor 32 may include similar or identical software as 
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FIGURE 4 is a top view of a floor in an office building, illustrating an 
example configuration of at least a portion of wireless LAN 20 and campus security 
network 28. A plurality of authorized access points 22 connected to campus 
backbone network 18 are geographically dispersed to create a particular area of 
coverage to support wireless communications with authorized mobile clients 26 The 
area of coverage 52 of each authorized access point 22 may depend on a variety of 
factors, such as the characteristics of the particular authorized access point 22 the 
location of the authorized access point 22 within building 50, and the presence of 
physical structures which may obstruct wireless communications in the vicinity of the 
authorized access point 22, for example. The area of coverage 52 of each authorized 
access point 22 may also extend in a vertical direction, and may thus provide 
coverage for more than one floor of building 50. As shown in FIGURE 4, the area of 
coverage 52 of particular authorized access points 22 may extend beyond one or more 
outer walls of building 50, thus potentially providing authorized and unauthorized 
chents 26 and 38 access to data network 12 through such authorized access points 22 
For example, as shown in FIGURE 4, an unauthorized client 38a may be located 
outs.de of building 50 but within the area of coverage 52 of a particular authorized 
access pent 54 of the authorized access points 22, and thus able to communicate with 
the particular authorized access point 54. Thus, unauthorized mobile client 38a may 
attempt to access data network 12 via authorized access point 54 while remaining 
outside building 50. 

h addition, one or more rogue access points 36 may also be connected to 
campus backbone network 18. As discussed above with reference to FIGURE 1 
rogue access points 36 may be connected to campus backbone network 24 by internal' 
employees desiring mobile access to data network 12 or by an outside attacker 
desiring access to data network 12. Rogue access points 36 may also include access 
pomts that were authorized to be connected to campus backbone network 24, but are 
unconfigured in some way. The area of coverage 52 of a rogue access point 36 may 
extend outside building 50, thus potentially providing authorized and unauthorized 
chents 26 and 38 access to data network 12 through the rogue access point 36 For 
example, as shown in FIGURE 4, an unauthorized client 38b may be located outside 
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(such as authorized mobile clients 26). The one or more packets of information may 
be associated with a communication session, as discussed above with reference to 
FIGURE 2. 

At step 202, the monitoring device may filter the one or more received packets 
5 to select a relevant, or interesting, packet. For example, interesting packets may 
include packets concerning the authentication, authorization, and/or establishment of 
a communication session, such as packets communicated during key exchange 
handshaking, for example. 

At step 204, it is determined whether a connection between the monitoring 

10 device and a centralized security manager is available such that the monitoring device 
may communicate the interesting packet to the centralized security manager for 
analysis. If it is determined at step 204 that a connection between the monitoring 
device and the centralized security manager is not available, the monitoring device 
may analyze the interesting packet locally at step 206 to determine whether the 

15 communication session with which the interesting packet is associated is valid or 
authorized. Alternatively, if it is determined at step 204 that a connection with the 
centralized security manager is available, the interesting packet is sent from the 
monitoring device to the centralized security manager at step 208. For example, in 
the embodiment shown in FIGURE 1, the interesting packet may be communicated 

20 from the monitoring device to the centralized security manager via communications 
network 18. 

At step 210, the interesting packet is logged into a packet database associated 
with the centralized security manager. At step 212, the centralized security manager 
may determine whether the communication session with which the interesting packet 

25 is associated is a new session or an established session. This decision is described in 
greater detail below with reference to FIGURE 6. If it is determined that the 
communication session is an established session, no action is taken by the centralized 
security manager at step 214. However, if it is determined that the communication 
session is a new session, the centralized security manager determines whether the new 

30 session is valid or authorized at step 216. This determination is described in greater 
detail below with reference to FIGURE 7. 
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broadcast by a wireless access point or client, such as a probe frame transmitted by a 
wireless client in search of a wireless access point. 

If it is determined that the packet is a data packet, the packet may be split at 
step 232 to extract interesting portions of the packet. The interesting portions of the 
packet may then be formatted at step 234 such that the interesting portions may be 
properly analyzed. At step 236, the formatted interesting portions may be compared 
with a database of data packet information to determine whether the communication 
session with which the data packet is associated is a new communication session or an 
already established communication session. 

Similarly, if it is determined that the packet is a beacon packet, the packet may 
be split at step 238 to extract interesting portions of the packet. The interesting 
portions of the packet may then be formatted at step 240 and compared with a 
database of beacon packet information at step 242 to determine whether the 
communication session with which the beacon packet is associated is a new 
communication session or an already established communication session. 

FIGURE 7 illustrates a method of determining whether a communication 
session with which an interesting packet is associated is valid or authorized, as 
described above regarding step 216 of FIGURE 5. At step 250, it may be determined 
whether the packet was originally communicated from a wireless client (such as an 
authorized or unauthorized client 26 or 38) or from a wireless access point (such as an 
authorized or rogue access point 22 or 36). In particular embodiments, this 
determination may include analyzing one or more bits in the packet that are turned on 
or off depending on whether the packet was communicated from a wireless client or a 
wireless access point. In one embodiment, the determination includes analyzing a 
25 portion of the MAC address associated with the packet. 

If it is determined at step 250 that the packet was communicated from a 
wireless client, the packet may be further analyzed at steps 252 through 256 to 
determine whether the communication session is valid or authorized. Alternatively, if 
it is determined at step 250 that the packet was communicated from a wireless access 
point, the packet may be further analyzed at steps 258 through 266 to determine 
whether the communication session is valid or authorized. 
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wireless access point matches the manufacturer of any authorized access point, such 
as described above regarding step 252. At step 260, it may be determined whether 
one or more particular security measures are turned on or off, such as described above 
regarding step 254. At step 262, it may be determined whether the SSID of the 
5 wireless access point matches the SSID of one or more authorized access points. At 
step 264, it may be determined whether the BSS MAC address of the wireless access 
point matches the BSS MAC address of one or more authorized access points This 
may include comparing the BSS MAC address of the wireless access point with a list 
of the BSS MAC address for each authorized access point. If the BSS MAC address 

10 of the wireless access point does not match the BSS MAC address of any authorized 
access point, it may be determined that the wireless access point is an unauthorized 
access point and that the communications session is thus unauthorized. 

At step 266, whether the wireless access point is broadcasting may be 
determined. In particular embodiments, authorized access points are configured to 

15 not broadcast signals. Thus, in such embodiments, if it is determined that the wireless 
access point is broadcasting signals, it may be determined that the wireless access 
point is an unauthorized access point and that the communications session is thus 
unauthorized. 

Thus, as shown in FIGURE 7, it may be determined that the wireless access 
20 point is an authorized access point and that the communications session is thus 
authorized if the manufacturer of the wireless access point matches the manufacturer 
of at least one authorized access point, the WEP associated with the wireless access 
point is turned on, the SSID of the wireless access point matches the SSID of the 
authorized access points, the BSS MAC address of the wireless access point matches 
25 the BSS MAC address of one of the authorized access points, and the wireless access 
point is not broadcasting signals. 

FIGURE 8 illustrates a method of analyzing an interesting packet locally at a 
wireless monitor to determine whether a communication session associated with the 
packet is valid or authorized, as described above regarding step 206 of FIGURE 5. 
30 For example, as described above regarding step 204 of FIGURE 5, an interesting 
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session being established. If a connection with the centralized security manager is not 
available at step 296, the monitoring device may wait at step 300 until a connection 
becomes available in order to pass the relevant records to the centralized security 
manager. The monitoring device and the centralized security manager may 
5 communicate with each other to keep their respective database updated or 
synchronized. 

Although an embodiment of the invention and its advantages are described in 
detail, a person skilled in the art could make various alterations, additions, and 
omissions without departing from the spirit and scope of the present invention as 
1 0 defined by the appended claims. 
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4. The system of Claim 1, wherein: 

the plurality of authorized devices includes a plurality of authorized wireless 
access points and a plurality of authorized wireless clients, each of the wireless access 
points operable to provide one or more of the authorized wireless clients access to the 
5 data network; and 

the centralized security manager further comprises a countermeasure module 
operable to prevent the wireless device access to the data network via each of the 
plurality of wireless access points if the wireless device is not one of the plurality of 
authorized devices. 

10 

5. The system of Claim 1, wherein the centralized security manager 
further comprises a countermeasure module operable to direct the wireless device to a 
honey pot if the particular wireless device is not one of the plurality of authorized 
devices. 

15 

6. The system of Claim 1, wherein the centralized security manager 
further comprises a countermeasure module operable to update a session database 
based on the determination of whether the particular communication session is valid. 

20 7. The system of Claim 1 , wherein: 

the plurality of authorized devices includes a plurality of wireless access 
points and a plurality of authorized wireless clients, each of the wireless access points 
operable to provide one or more of the authorized wireless clients access to the data 
network; 

25 the packet analysis module of the centralized security manager is further 

operable to determine whether the particular wireless device is a wireless access point 
or a wireless client based on the analysis of the at least one particular packet; and 

the packet analysis module of the centralized security manager is operable to 
determine whether the particular wireless device is one of the plurality of authorized 

30 devices by: 
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12. 



The system of Claim 7, wherein the packet analysis module of the 
centralized security manager is operable to determine whether the wireless access 
point is one of the plurality of authorized wireless access points at least by 
determining whether the wired equivalency privacy (WEP) associated with the 
wireless access point is turned on. 

13. The system of Claim 7, wherein the packet analysis module of the 
centralized security manager is operable to determine whether the wireless access 
point is one of the plurality of authorized wireless access points at least by 
determining whether the MAC address of the wireless access point matches the MAC 
address of any of the plurality of authorized wireless access points. 



14. The system of Claim 7, wherein the packet analysis module of the 
centralized security manager is operable to determine whether the wireless access 
point is one of the plurality of authorized wireless access points at least by 
determining whether the service set identifier (SSID) of the wireless access point 
matches the service set identifier of each of the plurality of authorized wireless access 
points. 

15. 

20 I6 ' ^ s y stem of C,aim 7, wherein the packet analysis module of the 

centralized security manager is operable to determine whether the wireless access 
point is one of the plurality of authorized wireless access points at least by 
determining whether the wireless access point is broadcasting packets. 
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22. The method of Claim 17, further comprising updating a session 
database associated with the centralized security manager based on the determination 
of whether the communication session is valid. 

5 23. The method of Claim 17, wherein the plurality of authorized devices 

includes a plurality of wireless access points and a plurality of authorized wireless 
clients, each of the wireless access points operable to provide one or more of the 
authorized wireless clients access to the data network; and wherein the method further 
comprises: 

10 determining whether the wireless device is a wireless access point or a 

wireless client based on the analysis of the at least one data packet; and 

wherein determining whether the communication session is valid comprises: 

if the wireless device is a wireless access point, determining whether 
the wireless access point is one of the plurality of authorized wireless access points; 
15 and 

if the wireless device is a wireless client, determining whether the 
wireless client is one of the plurality of authorized wireless clients . 

24. The method of Claim 23, wherein determining whether the wireless 
20 client is one of the plurality of authorized wireless clients comprises: 
determining the manufacturer of the wireless client; and 
determining whether the manufacturer of the wireless client matches the 
manufacturer of at least one of the plurality of authorized wireless clients. 

25 25. The method of Claim 23, wherein determining whether the wireless 

client is one of the plurality of authorized wireless clients comprises determining 
whether the wired equivalency privacy (WEP) associated with the wireless client is 
turned on. 
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32. A system for monitoring a wireless network, comprising- 

a security network including a plurality of monitoring devices coupled to a 

centralized security manager, the security network opercb.e to manage access to a 

data network associated with a plurality of authorized devices; 
wherein each monitoring device comprises: 

a packet sniffing module operable to receive packets communicated 
trom one or more wireless device; and 

a packet routing module operable to communicate one or more of the 
packets to the centralized security manager, and 

wherein the centralized security manager comprises 

a packet collection module operable to receive the one or more packets 
communicated from each monitoring device; 

a packet analysis module operable to: 

analyze the one or more packets; and 

determine based on the analysis of at least one particular packet 
assorted with a particular wireless device whether the particular wireless device is 
one of the plurality of authorized devices; and 

an alert module operable to communicate an alert if the particular 
wireless device is not one of the plurality of authorized devices. 
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34. A method of monitoring a wireless network, comprising: 

receiving one or more packets communicated from a wireless device at one of 
a plurality of monitoring devices operable to monitor at least a portion of a network 
comprising a plurality of authorized wireless access points and a plurality of 
5 authorized wireless clients; 

communicating at least one particular packet of the one or more packets to a 
centralized manager coupled to each of the plurality of monitoring devices; 

analyzing the at least one particular packet; 

determining whether the wireless device is one of the plurality of authorized 
10 devices based on the analysis of the at least one particular packet; and 

communicating an alert if the wireless device is not one of the plurality of 
authorized devices. 

35. The method of Claim 34, further comprising: 

15 determining whether the wireless device is a wireless access point or a 

wireless client based on the analysis of the at least one data packet; and 

wherein determining whether the wireless device is one of the plurality of 
authorized devices comprises: 

if the wireless device is a wireless access point, determining whether 
20 the wireless access point is one of the plurality of authorized wireless access points; 
and 

if the wireless device is a wireless client, determining whether the 
wireless client is one of the plurality of authorized wireless clients . 
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3 7. The system of Claim 36, wherein: 

each monitoring device further comprises a local session database operable to 
store a record regarding a particular communication session if the monitoring device 
determines whether or not the particular communication session is valid; and 

the centralized security manager is further operable to update a central session 
database based on the determination of whether the particular communication session 



is valid 
38. 



The system of Claim 36, wherein the packet routing module is 
operable to determine whether selected packets are to be analyzed by the monitoring 
devue or by the centralized manager by determining whether a connection is 
available for communicating the selected packets from the monitoring device to the 
centralized manager. 

" 39. The system of Claim 36, wherein each monitoring device further 

comprises an local alert module operable to: 

communicate an alert if it is determined by the monitoring device that the 
communication session is not valid; 

store a record of the alert communicated from the monitoring device- and 
communicate the record of the alert to the centralized security manager. 

40. The system of Claim 36, wherein each monitoring device further 
comprises an local alert module operable to: 

store a record regarding the communication session if it is detennined by the 
monitoring device that the communication session is valid; and 

communicate the record regarding the communication session to the 
centralized security manager; and 

whereto the centralized security manager is ^ operabJe to ' _ 

central session database based on ft. record regarding the comnrnnicadon session. 
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44. The method of Claim 41, further comprising: 

communicating an alert from the monitoring device if it is determined by the 
monitoring device that the communication session is not valid; 

storing a record of the alert communicated from the monitoring device; and 
5 communicating the record of the alert to the centralized security manager. 

45 . The method of Claim 4 1 , further comprising: 

storing a record regarding the communication session if it is determined by the 
monitoring device that the communication session is valid; 
10 communicating the record regarding the communication session to the 

centralized security manager; and 

updating a session database associated with the centralized security manager 
based on the record regarding the communication session. 
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49. Software for monitoring a wireless network, the software being 
embodied in computer-readable media and when executed operable to: 

receive one or more packets communicated from a wireless device, the one or 
more packets associated with a communication session; 

determine whether the communication session is valid, including: 

detennining the manufacturer of the wireless device based on the one 
or more packets; 

determining whether the manufacturer of the wireless device matches 
the manufacturer of at least one of the plurality of authorized wireless clients; 

detennining whether the wired equivalency privacy (WEP) associated 
with the wireless device is turned on; and 

detennining whether the MAC address of the wireless device matches 
the MAC address of any of the plurality of authorized wireless devices. 

15 5a 711(5 software of Claim 49, wherein determining whether the 

communication session is valid further comprises determining whether the service set 
identifier (SSID) of the wireless device matches the service set identifier of each of 
the plurality of authorized wireless devices. 

20 5L ^ software of Claim 49, wherein determining whether the 

communication session is valid further comprises determining whether the wireless 



10 



device is broadcasting packets. 
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